Multiple vulnerabilities in Discourse
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2023-37904 CVE-2023-38684 CVE-2023-37467 CVE-2023-38498 CVE-2023-37906 |
| CWE-ID | CWE-362 CWE-770 CWE-323 CWE-400 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Discourse Web applications / Forum & blogging software |
| Vendor | Civilized Discourse Construction Kit, Inc. |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Race condition
EUVDB-ID: #VU78758
Risk: Low
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-37904
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a race condition in Accept Invite. A remote user can exploit the race and create more users than permitted from invite links.
MitigationInstall updates from vendor's website.
Vulnerable software versionsDiscourse: 3.0.5 - 3.1.0 beta6
CPE2.3- cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:3.1.0:beta6:*:*:*:*:*:*
http://github.com/discourse/discourse/commit/62a609ea2d0645a27ee8adbb01ce10a5e03a600b
http://github.com/discourse/discourse/security/advisories/GHSA-6wj5-4ph2-c7qg
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU78770
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-38684
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to unbounded limits in various controller actions. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsDiscourse: 3.0.5 - 3.1.0 beta6
CPE2.3- cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:3.1.0:beta6:*:*:*:*:*:*
http://github.com/discourse/discourse/security/advisories/GHSA-ff7g-xv79-hgmf
http://github.com/discourse/discourse/commit/bfc3132bb22bd5b7e86f428746b89c4d3d7f5a70
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Reusing a Nonce, Key Pair in Encryption
EUVDB-ID: #VU78763
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-37467
CWE-ID:
CWE-323 - Reusing a Nonce, Key Pair in Encryption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the CSP (Content Security Policy) nonce reuse issue. A remote user can bypass CSP protection.
MitigationInstall updates from vendor's website.
Vulnerable software versionsDiscourse: 3.1.0 beta6
CPE2.3 External linkshttp://github.com/discourse/discourse/commit/0976c8fad6970b6182e7837bf87de07709407f25
http://github.com/discourse/discourse/security/advisories/GHSA-gr5h-hm62-jr3j
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource exhaustion
EUVDB-ID: #VU78761
Risk: Low
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-38498
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the defer queue. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsDiscourse: 3.0.5 - 3.1.0 beta6
CPE2.3- cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:3.1.0:beta6:*:*:*:*:*:*
http://github.com/discourse/discourse/commit/26e267478d785e2f32ee7da4613e2cf4a65ff182
http://github.com/discourse/discourse/security/advisories/GHSA-wv29-rm3f-4g2j
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU78759
Risk: Low
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-37906
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the post edit reason. A remote user can edit a post in a topic and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsDiscourse: 3.0.5 - 3.1.0 beta6
CPE2.3- cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:3.1.0:beta6:*:*:*:*:*:*
http://github.com/discourse/discourse/security/advisories/GHSA-pjv6-47x6-mx7c
http://github.com/discourse/discourse/commit/dcc825bda505a344eda403a1b8733f30e784034a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
